moofbong (n00b)
Joined: 25 Feb 2004, Posts: 10, Location: Ann Arbor, MI
Posted: Fri Dec 09, 2005 8:06 pm    Post subject: Samba permissions broken (was samba roaming profiles)
Hey,
I'm having trouble getting roaming profiles to work correctly with Samba as a server and Win2k and XP clients. On the first login, the profile is created successfully, but on subsequent logins, windows claims it doesn't have permission to access the profile. If I ssh to the server, I can read/write/edit the files just fine. getfacl returns the following for my profile directory:
Code:
brandon.dimcheff@unity /var/lib/samba/profiles/brandon.dimcheff $ getfacl .
# file: .
# owner: brandon.dimcheff
# group: westpole
user::rwx
group::---
other::---
default:user::rwx
default:group::---
default:other::---
If I create a file:
Code:
brandon.dimcheff@unity /var/lib/samba/profiles/brandon.dimcheff $ echo 'foo' > bar
brandon.dimcheff@unity /var/lib/samba/profiles/brandon.dimcheff $ cat bar
foo
So that works fine. If I try to open the file from Windows, I get "access denied". In the security tab of the properties window, it shows my domain account having read and write access to the file. In Windows, even though it says I have rw privs, I can only create and delete files. Once saved in the profile share, I can no longer read them.
Here's my smb.conf:
Code:
# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2005/10/11 11:59:26
# Global parameters
[global]
workgroup = WESTPOLE_BETA
server string = Unity
map to guest = Bad User
smb passwd file = /etc/samba/private/smbpasswd
passdb backend = ldapsam:ldap://unity.westpole.com/
log file = /var/log/samba3/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = cups
dns proxy = No
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
#delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
#delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
ldap admin dn = cn=Manager,dc=westpole,dc=com
ldap delete dn = Yes
ldap group suffix = ou=Group
ldap idmap suffix = ou=People
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
ldap suffix = dc=westpole,dc=com
ldap ssl = start tls
ldap user suffix = ou=People
printer admin = @adm
create mask = 0774
directory mask = 0775
domain logons = yes
preferred master = yes
domain master = yes
os level = 65
hide dot files = yes
load printers = yes
printing = cups
printcap name = cups
security = user
guest ok = no
use client driver = no
# For Samba 3.x. This enables ClamAV on access scanning.
vfs object = vscan-clamav
vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
wins support = yes
name resolve order = wins lmhosts host bcast
dns proxy = no
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
guest ok = Yes
printable = Yes
browseable = No
writeable = No
[brother_hl_2700cn]
comment = Brother HL2700cn Network Printer
printable = yes
path = /var/spool/samba
public = yes
guest ok = yes
printer admin = root
[hp_laserjet_4000]
comment = HP LaserJet 4000 Network Printer
printable = yes
path = /var/spool/samba
public = yes
guest ok = yes
printer admin = root
# Now we setup our print drivers information!
[print$]
comment = Printer Drivers
path = /etc/samba/printer
guest ok = yes
browseable = yes
read only = yes
# Modify this to "username,root" if you don't want root to
# be the only printer admin)
write list = @adm,root
[fileserver]
comment = West Pole File Server
path = /mnt/fileserver
read only = No
hide dot files = yes
[backups]
comment = West Pole File Server Daily Backups
path = /mnt/dailies
read only = Yes
hide dot files = yes
[netlogon]
path = /var/lib/samba/netlogon
guest ok = no
read only = yes
browseable = no
[profiles]
path = /var/lib/samba/profiles
browseable = no
writeable = yes
default case = lower
preserve case = no
short preserve case = no
case sensitive = no
hide files = /desktop.ini/ntuser.ini/NTUSER.*/
write list = @smbusers @root @westpole
create mask = 0600
directory mask = 0700
profile acls = no
Frankly I'm at a loss. I've tried playing with the sticky bit in the profiles directory to no avail. It also seems that permissions work incorrectly in other shares as well. For instance, if I change the group of a file to something other than my default group, I will not be able to do anything to the file as my user. Is there something I'm missing about permissions in general maybe?
Thanks,
Brandon
Last edited by moofbong on Thu Dec 15, 2005 4:33 pm; edited 1 time in total |
Scoody (n00b)
Joined: 28 Jan 2005, Posts: 69, Location: Norway
Posted: Sat Dec 10, 2005 8:13 pm
Code:
[profiles]
profile acls = yes
Could fix it.
_________________
Scoody.
Zeos (n00b)
Joined: 26 Oct 2003, Posts: 13
Posted: Mon Dec 12, 2005 2:09 am
Try this ...
On your windows box click start => run => gpedit.msc
Navigate to "Computer Configuration" => "Administrative Templates" => "System" => "User Profiles", change the setting "Do not check for user ownership of Roaming Profile Folders" to enabled.
I try to stay as far away from the windows boxen @ work as possible, but iirc there was some issue with this for us in the past.
Po0ky (Tux's lil' helper)
Joined: 21 Apr 2005, Posts: 142, Location: Belgium
Posted: Mon Dec 12, 2005 8:20 am
Scoody wrote:
    [profiles]
    profile acls = yes
    Could fix it.
This doesn't really help with the ACLs. By setting this directive, Samba will always set specific ACLs that are known to work with WinXP clients.
man smb.conf wrote:
    When not in domain mode with winbindd then the security info copied onto the local workstation has no meaning to the logged in user (SID) on that workstation so the profile storing fails. Adding this parameter onto a share used for profile storage changes two things about the returned Windows ACL. Firstly it changes the owner and group owner of all reported files and directories to be BUILTIN\Administrators, BUILTIN\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly it adds an ACE entry of "Full Control" to the SID BUILTIN\Users to every returned ACL. This will allow any Windows 2000 or XP workstation user to access the profile.
_________________
-- I'll eat it--
moofbong (n00b)
Joined: 25 Feb 2004, Posts: 10, Location: Ann Arbor, MI
Posted: Thu Dec 15, 2005 2:35 pm
Aha! I have made some progress on this. The real reason why the files can't be accessed seems to be that samba doesn't handle user and group read permissions correctly.
I cannot open the file when logged in as brandon.dimcheff via Samba when the perms are like this:
Code:
brandon.dimcheff@unity ~ $ ls -als test
4 -rw------- 1 brandon.dimcheff westpole 668 Dec 14 15:00 test
OR when they're 640. But I can when I change them to 644. NOTE: I can still WRITE to the files even when they're 600, I just can't READ them. Bizarre.
So anyhow, is there some setting that tweaks how Samba handles read bits?
Thanks again,
Brandon
_________________
If 'pro' is the opposite of 'con', what's the opposite of 'progress'?
moofbong (n00b)
Joined: 25 Feb 2004, Posts: 10, Location: Ann Arbor, MI
Posted: Mon Jul 03, 2006 7:22 pm
I'm still having these problems. We're starting to do stuff that really needs permissions to be working right, so I'm bringing it up again.
Is there any way of asking samba what it thinks the permissions of a file are? Something like getfacl except with samba? Or is there detailed debugging output that I can enable that will show every file access attempt?
NOTE: This is NOT just profiles, either. All files in the samba share will not be accessible from Samba if they are not world readable.
Thanks again,
Brandon
_________________
If 'pro' is the opposite of 'con', what's the opposite of 'progress'?
moofbong (n00b)
Joined: 25 Feb 2004, Posts: 10, Location: Ann Arbor, MI
Posted: Mon Jul 03, 2006 7:58 pm    Post subject: Debug Log
Here's some info from the log when I attempted to 'cat test2' from a remote computer. It seems to think that permission is denied, even though the permissions should allow access:
Code:
[2006/07/03 15:51:45, 3] smbd/process.c:process_smb(1194)
Transaction 321 of length 134
[2006/07/03 15:51:45, 3] smbd/process.c:switch_message(993)
switch message SMBntcreateX (pid 22541) conn 0x803b73f8
[2006/07/03 15:51:45, 3] smbd/dosmode.c:unix_mode(121)
unix_mode(untitled folder/test2) returning 0764
[2006/07/03 15:51:45, 3] smbd/open.c:open_file(276)
Error opening file untitled folder/test2 (Permission denied) (local_flags=0) (flags=0)
[2006/07/03 15:51:45, 3] smbd/error.c:unix_error_packet(90)
unix_error_packet: error string = Permission denied
[2006/07/03 15:51:45, 3] smbd/error.c:error_packet(146)
error packet at smbd/trans2.c(2632) cmd=162 (SMBntcreateX) NT_STATUS_ACCESS_DENIED
The actual file permissions (not 0764 like the log claims, that's for sure):
Code:
brandon.dimcheff@unity ~/untitled folder $ ls -als
total 17
0 drwx--S--- 3 brandon.dimcheff westpole 160 Jul 3 15:51 .
1 drwx------ 12 brandon.dimcheff westpole 816 Jul 3 15:51 ..
4 -rw--w---- 1 brandon.dimcheff westpole 4 Apr 12 17:41 test2
_________________
If 'pro' is the opposite of 'con', what's the opposite of 'progress'?
moofbong (n00b)
Joined: 25 Feb 2004, Posts: 10, Location: Ann Arbor, MI
Posted: Wed Jul 05, 2006 8:56 pm    Post subject: smbclient dialog
Here's a dialog I made in smbclient illustrating the problem:
Code:
smb: \User\Brandon\test\> ls
. D 0 Wed Jul 5 16:51:41 2006
.. D 0 Mon Jul 3 16:06:45 2006
bar A 10 Mon Jul 3 16:09:54 2006
foo 5 Mon Jul 3 16:07:16 2006
61438 blocks of size 524288. 33649 blocks available
smb: \User\Brandon\test\> get foo
NT_STATUS_ACCESS_DENIED opening remote file \User\Brandon\test\foo
smb: \User\Brandon\test\> stat foo
File: \User\Brandon\test\foo
Size: 5 Blocks: 8 regular file
Inode: 17100 Links: 1
Access: (0600/-rw-------) Uid: 5000 Gid: 5000
Access: 2006-07-03 16:11:02 -0400
Modify: 2006-07-03 16:07:16 -0400
Change: 2006-07-05 09:58:33 -0400
smb: \User\Brandon\test\> get bar
getting file \User\Brandon\test\bar of size 10 as bar (9.8 kb/s) (average 1.8 kb/s)
smb: \User\Brandon\test\> stat bar
File: \User\Brandon\test\bar
Size: 10 Blocks: 8 regular file
Inode: 17101 Links: 1
Access: (0764/-rwxrw-r--) Uid: 5000 Gid: 5000
Access: 2006-07-05 16:52:02 -0400
Modify: 2006-07-03 16:09:54 -0400
Change: 2006-07-05 09:58:33 -0400
smb: \User\Brandon\test\> put baz
putting file baz as \User\Brandon\test\baz (3.9 kb/s) (average 0.6 kb/s)
smb: \User\Brandon\test\> get baz
getting file \User\Brandon\test\baz of size 4 as baz (3.9 kb/s) (average 1.9 kb/s)
smb: \User\Brandon\test\> stat baz
File: \User\Brandon\test\baz
Size: 4 Blocks: 8 regular file
Inode: 17099 Links: 1
Access: (0764/-rwxrw-r--) Uid: 5000 Gid: 5000
Access: 2006-07-05 16:52:15 -0400
Modify: 2006-07-05 16:52:07 -0400
Change: 2006-07-05 16:52:07 -0400
smb: \User\Brandon\test\> chmod 0600 baz
Pushing string of 'unlimited' length into non-SMB buffer!
smb: \User\Brandon\test\> stat baz
File: \User\Brandon\test\baz
Size: 4 Blocks: 8 regular file
Inode: 17099 Links: 1
Access: (0600/-rw-------) Uid: 5000 Gid: 5000
Access: 2006-07-05 16:52:15 -0400
Modify: 2006-07-05 16:52:07 -0400
Change: 2006-07-05 16:52:31 -0400
smb: \User\Brandon\test\> get baz
NT_STATUS_ACCESS_DENIED opening remote file \User\Brandon\test\baz
smb: \User\Brandon\test\>
_________________
If 'pro' is the opposite of 'con', what's the opposite of 'progress'?
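A small audit helper, added here as an illustration and not code from the thread or from the Samba project, that ties the three pieces of evidence above together: the `unix_mode(...) returning 0764` line in the level-3 log, the `create mask = 0774` in the global section of smb.conf, and the smbclient dialog where a 0600 file owned by uid 5000 is denied to uid 5000. It models Samba's new-file mode calculation (0666, plus the owner execute bit for the DOS archive attribute when `map archive` is on, AND `create mask`, OR `force create mode`; `inherit permissions` and ACL inheritance are ignored), models the plain POSIX mode-bit check, and scans log lines for open denials so the two can be compared. The sample log and the on-disk modes are constructed from the lines posted above; the uid/gid of 5000 for brandon.dimcheff/westpole is taken from the smbclient `stat` output and is an assumption for the ls listing.

```python
import re

def samba_new_file_mode(create_mask, force_create_mode=0, map_archive=True, base=0o666):
    """Model of the mode smbd assigns to a file it creates on a share.

    Written for this thread as a model of the documented behaviour of
    'create mask', 'force create mode' and 'map archive'; it is not Samba's
    own unix_mode() and ignores 'inherit permissions' and ACL inheritance.
    """
    mode = base
    if map_archive:
        mode |= 0o100          # new files carry the DOS archive attribute -> owner x bit
    mode &= create_mask        # create mask removes bits
    mode |= force_create_mode  # force create mode adds bits
    return mode

PERM_BITS = {"r": 4, "w": 2, "x": 1}

def posix_allows(mode, owner_uid, owner_gid, uid, gids, want):
    """Classic POSIX mode-bit check: the first matching class (owner, then
    group, then other) decides. uid 0 is deliberately not special-cased, so the
    answer is what a non-root process would get from the mode bits alone."""
    bits = PERM_BITS[want]
    if uid == owner_uid:
        cls = (mode >> 6) & 7
    elif owner_gid in gids:
        cls = (mode >> 3) & 7
    else:
        cls = mode & 7
    return bool(cls & bits)

# Level-3 smbd log lines of interest (format as posted in the thread).
MODE_LINE = re.compile(r"^unix_mode\((?P<path>.+)\) returning (?P<mode>0[0-7]+)$")
DENY_LINE = re.compile(r"^Error opening file (?P<path>.+?) \((?P<reason>[^)]*)\)")

def scan_smbd_log(text):
    """Return ({path: mode smbd computed for a new file}, [(path, reason)])."""
    modes, denied = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = MODE_LINE.match(line)
        if m:
            modes[m.group("path")] = int(m.group("mode"), 8)
            continue
        d = DENY_LINE.match(line)
        if d:
            denied.append((d.group("path"), d.group("reason")))
    return modes, denied

def audit_denials(log_text, observed, uid, gids):
    """For each denial in the log, report whether the on-disk mode bits alone
    would have allowed a read for (uid, gids). 'observed' maps path to
    (mode, owner_uid, owner_gid) as seen with ls/stat on the server."""
    modes, denied = scan_smbd_log(log_text)
    findings = []
    for path, reason in denied:
        mode, owner_uid, owner_gid = observed[path]
        findings.append({
            "path": path,
            "reason": reason,
            "on_disk_mode": mode,
            "log_mode": modes.get(path),   # what smbd would use to CREATE the file
            "mode_bits_allow_read": posix_allows(mode, owner_uid, owner_gid, uid, gids, "r"),
        })
    return findings

# Constructed from the log excerpt posted above.
SAMPLE_LOG = """\
[2006/07/03 15:51:45, 3] smbd/dosmode.c:unix_mode(121)
  unix_mode(untitled folder/test2) returning 0764
[2006/07/03 15:51:45, 3] smbd/open.c:open_file(276)
  Error opening file untitled folder/test2 (Permission denied) (local_flags=0) (flags=0)
"""
# Constructed from the 'ls -als' above: -rw--w---- owned by brandon.dimcheff:westpole,
# assumed to be uid 5000 / gid 5000 as shown by the smbclient stat output.
OBSERVED = {"untitled folder/test2": (0o620, 5000, 5000)}

if __name__ == "__main__":
    # create mask 0774 from the [global] section explains the 0764 in the log.
    print("new-file mode under create mask 0774:", oct(samba_new_file_mode(0o774)))
    print("new-file mode under [profiles] create mask 0600:", oct(samba_new_file_mode(0o600)))
    for f in audit_denials(SAMPLE_LOG, OBSERVED, uid=5000, gids=[5000]):
        print(f)
```

Two things fall out of running it. The `0764` in the log is not a claim about the existing file: with the global `create mask = 0774` the model gives exactly 0764 for a file smbd would create, so that line is the mode the open path computed in case it had to create `test2`, not a stat of it. And for the file as it exists (0620, owner uid 5000) the mode bits say an owner read is allowed, so when smbd still denies the open, the open is not being evaluated as that uid with those mode bits alone; something else in the path (an extra ACL layer, a VFS module such as the vscan one in this smb.conf, or a different effective identity) is the next thing to check, with `log level = 10` on the share if needed.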